Malware Removal: Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.
#1
Hello!
I've read several forums on this topic, tried and tried, but to no avail of getting rid of it. I've run Ad-aware, which is saying it isn't finding anything anymore, but Spybot is getting the same ones that come back after rebooting. These are:

----
IGetNet 1 Entries
Common hijacker 2 Entries
CoolWWWSearch.Bootconf 1 Entries
CoolWWWSearch.Loadbat 1 Entries
CoolWWWSearch.Msconfd 1 Entries
CoolWWWSearch.Oslogo 1 Entries
CoolWWWSearch.Tapicfg 1 Entries
CoolWWWSearch.XmImimefilter 1 Entries
---

I've also run an updated version of CWShredder; when it gets to the second item on the list it is trying to delete, it freezes and I get an error message and it closes. I've been getting more and more pop ups as time goes on, and I'm also now getting a winlogon error message after start up.

As I searched through other forums, I came across this person's problem (http://forums.techguy.org/showthread...9&page=1&pp=15) and it looks nearly the same as mine, but I'm getting lost in the steps and need a little more assistance.

I've tried nearly everything I can, and everything seems to be coming back on start up: the CoolWWWSearch on Spybot, changed homepage (sometimes to about:blank, but usually a different one), several pop ups and the winlogon error message.

Any help is appreciated, Thanks!
#2
Also, I've been getting a pop up that has been going to a blank page. I haven't had it recently, but it was along the lines of www.a-d-w-a-r-e.com/yyy
#3
Hi Deathtopopups,
Sounds like you have the really nasty baddie that's been going around lately. We will likely need to undertake a special process to remove it. But, before we do, here is the standard speech:

Generally, it is a good idea to start with the Cleanup Tutorial HERE: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time. Please let us know the steps that you are able to complete and the ones that give you problems.

Note that you need to be in Safe Mode with System Restore OFF (if you have it - you didn't give OS) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans. Post back and let us know how you fared.

Also, send us a HijackThis Log. Please be sure to follow the instructions below:

Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis! If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

I’ve been pretty busy with work lately, but somebody will try to take a look when they get a chance.

Best luck
PP
#4
Alright! Everything done now...
The online scans worked fine:
Trend's scan didn't pick up anything.
Symantec's picked up one file -> C:\spb.exe is infected with W32.spybot.worm
------
I have been having a problem with the Ad-aware plug-in VX2. I downloaded and installed it, and it isn't showing up after I click on the "Plug-ins" button in Ad-aware after opening, so I'm not sure if it scanned with it or not. After the scan, again, it detected nothing.
-----
When I run Spybot I continue getting the same detections from earlier, and when I click "fix selected problems" it fixes IGetNet and Common Hijacker, and won't fix the CoolWWWSearchs. I don't even get a message saying some problems may be fixed on start up from Spybot.
-----
I ran CWShredder and it is still freezing after getting to the second item on the list it is scanning for.
-----
About:Buster worked fine. I don't need to post the log file from it, do I?
-----
My HijackThis file is attached as well. Thanks with the help so far!
#5
Also the frequent and puzzling pop up was... http://www.ad-w-a-r-e.com/normal/yyy12.html, I wouldn't suggest clicking that however.
#6
Ack! Big mistake on my part... I have been using HijackThis version 1.98.2, I've re-downloaded and got a new log file, and it is attached. Still appreciating help though, but disregard the last hijackthis log!
#7
Quote:
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."
#8
Ooer, my mistake there too! Ok, everything should be fine now.. Log is attached!
#9
Hi D2P,
HijackThis is still a problem - Hang in there. Once we get it situated properly, we can go after the baddies in your log. This is Important, so let me know if you have trouble with the instructions below.

To create a new folder:
Click START > My Computer > Local Disc C: > Program Files
Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

To EXTRACT HijackThis:
Now, RightClick your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

Now run HJT from there and attach that log.

The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

PP
#10
heh, ok I followed all the instructions and extracted it to its own folder and ran a new scan and saved the log... and it's attached, Heh, sorry to screw that up so bad.
#11
Quote:
Removing all of the baddies will take a number of steps. We will save the worst for last. Now, on to your malware!

I saw ARES earlier - You should Uninstall and dump it as it leads to headaches.

Now, please download this tool: LSP - Fix

Please run LSP-Fix. Check the Box labeled "I know what I'm doing" and then click on the calsp.dll file (in the “Keep” section) to select it. Then, Select the >> button to move calsp.dll into the Remove section. Now, click the Finish Button. When the Repair Summary box appears, click OK.

Now, Reboot and then scan with HijackThis and attach that log and we’ll move on to some of the others.

PP
#12
ok, ran LSP and removed what you said... Now here is the new HijackThis file
#13
Hi D2P,
When you scan and fix with HijackThis, you need to make sure All browsers and other unnecessary programs are closed. They could interfere with the fix. Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it if possible:

bqzhj.exe

Now scan with HijackThis and Check the Boxes for the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [C:\WINDOWS\bqzhj.exe] C:\WINDOWS\bqzhj.exe
O4 - HKLM\..\Run: [SStb.exe] SStb.exe

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW: Please boot into Safe Mode and navigate to and DELETE the following if they should remain:

C:\WINDOWS\bqzhj.exe
SStb.exe ---> You may need to run a search of your computer for this one using Windows Explorer. It will probably be in either the C:\Windows or C:\Windows\System32 directory

NEXT: Run CCleaner and Spybot S&D and have Spybot fix what it finds.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows and Scan with HijackThis and attach that log. I know the O1 entries will come back. We'll work on those next!

PP
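Added example, not part of the original thread and not HijackThis's own code: a small Python triage pass over HijackThis-style log lines like the ones listed in the post above. It groups O1 hosts-file redirects by target address and flags O4 Run entries; the two Run-entry heuristics and all function names are assumptions of this sketch.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the post above, plus one constructed loopback control line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [C:\WINDOWS\bqzhj.exe] C:\WINDOWS\bqzhj.exe
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
"""

O1 = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
O4 = re.compile(r"^O4 - (\S+): \[(.*?)\] (.+)$")

def hosts_redirects(log):
    """Map each non-loopback target IP to the sorted hostnames pointed at it."""
    hits = defaultdict(set)
    for line in log.splitlines():
        m = O1.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address: skip rather than guess
        if not (ip.is_loopback or ip.is_unspecified):
            hits[str(ip)].add(m.group(2).lower())
    return {ip: sorted(names) for ip, names in hits.items()}

def odd_run_entries(log):
    """Return (key, name, command, reasons) for Run entries matching a heuristic."""
    out = []
    for line in log.splitlines():
        m = O4.match(line.strip())
        if not m:
            continue
        key, name, cmd = m.groups()
        reasons = []
        if "\\" in name:  # assumed heuristic: value name is itself a path
            reasons.append("value name is a file path")
        if "\\" not in cmd and "/" not in cmd:  # assumed heuristic: bare filename
            reasons.append("command has no directory")
        if reasons:
            out.append((key, name, cmd, reasons))
    return out
```

Several search hostnames mapped to one external address, as in this log, is the pattern the O1 section exists to surface; the Run-entry flags only prioritise entries for manual review.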
#14
Alright... Sorry that took so long, my computer is going down... It's now starting the phase where it randomly turns off, I followed the instructions, and now here is the new log!
#15
Quote:
To Start, please download the following tools and have them handy:

Generic Detection Tool
http://www.downloads.subratam.org/DllCompare.exe
http://www.downloads.subratam.org/VX2Finder.exe
http://www.downloads.subratam.org/KillBox.zip

NOW: Unzip (Extract - as with HJT) the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go. The tool should generate a long text file. Please attach that Log.

ALSO: RUN DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log as well.

It's getting a bit late for me, so we'll have to pick this up again Thursday night. Go ahead and attach the logs and I'll check back when I get a chance.

PP
#16
Check and Check! Logs are posted.
#17
Quote:
PP
#18
Alright, hopefully the sudden fatal system error shut offs aren't going to get more frequent, but I'll try and keep this going as long as I can and the logs attached are the most current since the last reboot.
#19
Hi D2P,
On to the next step:

Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this. Probably a good idea to Print Out these instructions.

Before you start, look in C:\WINDOWS\SYSTEM32 for guard.tmp and make sure that the correct path is C:\WINDOWS\SYSTEM32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. If you do not find this, please continue with the other instructions.

Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot. Off we go:

Now, run Pocket Killbox. Select the option to Replace on Reboot.

Now, Copy and Paste C:\WINDOWS\System32\G622LG~1.DLL into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Next, Copy and Paste C:\WINDOWS\SYSTEM32\dnl4013qe.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Next, Copy and Paste C:\WINDOWS\SYSTEM32\enj0l11m1.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

You get the idea – Now, continue the process for the rest:

C:\WINDOWS\SYSTEM32\ennul1591.dll
C:\WINDOWS\SYSTEM32\g0jo0a13ed.dll
C:\WINDOWS\SYSTEM32\g622lgfo162c.dll
C:\WINDOWS\SYSTEM32\g8lm0i31e8.dll
C:\WINDOWS\SYSTEM32\jt8207loe.dll
C:\WINDOWS\SYSTEM32\mv22l9fo1.dll
C:\WINDOWS\SYSTEM32\mzwdat10.dll
C:\WINDOWS\SYSTEM32\oqbcbcp.dll
C:\WINDOWS\SYSTEM32\r6r60g9se6.dll

Once you reach the end of the above list, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message.

A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

After your machine reboots, run DLL Compare again and make sure the log is clean. If it is not clean, REPEAT the above process on ALL new entries created On or After 12-23-04.

Also, look again for C:\WINNT\SYSTEM32\guard.tmp and, if it remains, fire up KillBox and Delete it using Standard File Kill option.

Once the DLL Compare Log is Clean, attach a copy and then run Findit.bat again and attach that fresh log as well and we’ll move on to the next step!

Best Luck
PP
#20
Alright, the only thing that I couldn't do was find the guard.tmp file, but everything is ok!
The logs you specified are attached.